New Facebook phishing scam urges victim to share a SMS code to enter a lottery

Heads up. A new type of phishing scam on Facebook – that is already being used to target social media users in Finland – could be making its way to a Facebook chat message near you, or rather, to you, very soon.

This new type of phishing scam has been targeting Finnish Facebook users and Finland’s National Cyber Security Centre has already issued a bulletin about it.

And as with many similar Facebook scams, it all starts with a chat message sent to you over Messenger by someone you’re friends with on Facebook. Only it’s not really your Facebook friend. It’s a scammer who has managed to gain access to your friend’s account and is now pretending to be them.

This is how the scam works –

  • The victim gets a message from their Facebook “friend” (actually the scammer) asking for the victim’s phone number so the “friend” can enter them into a prize draw, sweepstake or lottery.
  • The “friend” tells the victim they should receive a confirmation SMS message with a code, and that the victim needs to give the “friend” that code so they can enter them into the draw.
  • However, there is no prize draw. The SMS code was actually the victim’s authorisation code that allows the “friend” (scammer) to gain access to the victim’s Facebook account.
  • The scammer accesses the victim’s Facebook account and changes the password and associated email address, thus taking over the account. The scammer is now able to send the same scam messages to the victim’s Facebook friends.

If someone tries to change a person’s Facebook password (i.e. by selecting the Forgot Password option) they need to prove they really are the owner of the account. One way Facebook do this is to send an SMS message with a code in it to the owner of the account.

This scam is essentially a way of tricking the victim into sending that code to a scammer.


Here is a screenshot of a conversation released by the Finnish National Cyber Security Centre (translation below) of the scam in action.


– hey can you give me your mobile number
– thanks i participated in the contest i am sending a text message
– if you get a message with a code send it to me
– okay?
– I just sent you a message with the code
– thanks, wait 1 minute
– let’s now see what you get in the race

The Finnish National Cyber Security Centre also warned that in some cases, the scammers continued talking to the victim, claiming they actually won the prize draw in a bid to lure the victim into also handing out their bank details.

Double whammy.

There are some notable drawbacks to this scam for the scammers.

Firstly, the scammer has to rely on the fact that the victim has given their phone number to Facebook.
And secondly, the scammer has to hope the victim doesn’t twig on to the fact that the SMS message was sent by Facebook, and actually has nothing to do with entering a prize draw.


To avoid this scam…

Treat any message sent to you asking for personal information – sent by a friend or otherwise – as suspicious. Always confirm with the friend (in person or over the phone) that the message is legitimate.

Never share codes sent to you via SMS with people over the Internet. If someone is asking you to share a code sent to you via SMS, then there is a good chance they are trying to scam you.